Microsoft’s Patch Address More Than 110 Vulnerabilities, Including a Windows flaw

Chrome

More than 110 bugs are covered by Microsoft’s Fix Tuesday patches for November 2020, including a Windows bug that Google recently revealed after it was discovered to be used in attacks.

The actively exploited Windows vulnerability is tracked as CVE-2020-17087 and is defined as a Windows Kernel Cryptography Driver-related local privilege escalation problem.

In late October, several days after its researchers found the loophole being used in attacks alongside a Chrome bug, Google Project Zero revealed specifics of the flaw.

Google patched the Chrome flaw, known as CVE-2020-15999, on October 20 with a Chrome 86 update. By having the intended user to visit a website hosting a specially created font file, it can be abused for arbitrary code execution.

To break out of the Chrome sandbox and execute malicious code on the targeted device, the Windows and Chrome vulnerabilities may be connected.

Microsoft said it had begun working on a fix after Google announced the Windows bug last month, but added that its goal is to “help ensure full user security with minimum customer disturbance.”

A total of 17 critical bugs, most of which can be used for remote code execution, were patched by Microsoft this month. Many of the essential bugs influence the Microsoft Store extensions available.

The bugs have a major effect on Azure Sphere, Windows, apps, Dynamics 365, Workplace, SharePoint, Visual Studio, and other products, and can be used to fake attacks, DoS attacks, elevate rights, circumvent security features, and gather details.

This week, Microsoft announced that it had modified its security advisory style. The section explaining the vulnerability and how it can be abused does not include the latest advisories and instead attempts to provide the data through the Common Vulnerability Scoring System (CVSS).

In the company’s Link and Reader Mobile products, Adobe’s Fix Tuesday patches patch vulnerabilities.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.